[Yandex Cloud documentation](../../../index.md) > [Yandex Application Load Balancer](../../index.md) > [Tutorials](../index.md) > [Creating an L7 load balancer with DDoS protection](index.md) > Management console, CLI

# Creating an L7 load balancer with DDoS protection using the management console or CLI


To create an L7 load balancer with DDoS protection using the Yandex Cloud management console or CLI:

1. [Get your cloud ready](#before-begin).
1. [Create a cloud network](#create-network).
1. [Create security groups](#create-security-groups).
1. [Create an instance group](#create-vms).
1. [Reserve a static public IP address](#reserve-ip).
1. [Create a backend group](#create-backend-group).
1. [Create an HTTP router](#create-http-routers-sites).
1. [Create an L7 load balancer](#create-balancer).
1. [Test the load balancer](#test).

If you no longer need the resources you created, [delete them](#clear-out).


## Get your cloud ready {#before-begin}

Sign up for Yandex Cloud and create a [billing account](../../../billing/concepts/billing-account.md):
1. Navigate to the [management console](https://console.yandex.cloud) and log in to Yandex Cloud or create a new account.
1. On the **[Yandex Cloud Billing](https://center.yandex.cloud/billing/accounts)** page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` [status](../../../billing/concepts/billing-account-statuses.md). If you do not have a billing account, [create one](../../../billing/quickstart/index.md) and [link](../../../billing/operations/pin-cloud.md) a cloud to it.

If you have an active billing account, you can create or select a [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) for your infrastructure on the [cloud page](https://console.yandex.cloud/cloud).

[Learn more about clouds and folders here](../../../resource-manager/concepts/resources-hierarchy.md).


### Required paid resources {#paid-resources}

The infrastructure support cost for a DDoS-protected load balancer includes:

* Fee for continuously running [VMs](../../../compute/concepts/vm.md) (see [Yandex Compute Cloud pricing](../../../compute/pricing.md)).
* Fee for using a [public static IP address](../../../vpc/concepts/address.md#public-addresses) (see [Yandex Virtual Private Cloud pricing](../../../vpc/pricing.md)).
* Fee for filtering incoming traffic to a public IP address with [DDoS protection](../../../vpc/ddos-protection/index.md) (see [Yandex Virtual Private Cloud pricing](../../../vpc/pricing.md#prices-ddos-protection)).
* Fee for using computing resources of the [L7 load balancer](../../concepts/index.md) (see [Application Load Balancer pricing](../../pricing.md)).


## Prepare a service account {#prepare-sa}

{% note alert %}

When creating instance groups, keep the [limits](../../../compute/concepts/limits.md) in mind. To ensure Instance Groups runs properly, don't manually modify or delete any of the resources it created: [target group](../../concepts/target-group.md) Application Load Balancer, VMs, or disks. Instead of this, change or delete the entire group.

{% endnote %}

In Instance Groups, all operations are performed under a service account. If you don't have a service account, [create one](../../../iam/operations/sa/create.md).

To be able to create, update, and delete VMs in the group, as well as integrate the group with an Application Load Balancer L7 load balancer, [assign](../../../iam/operations/sa/assign-role-for-sa.md) the `editor` [role](../../../iam/concepts/access-control/roles.md) to the service account.

## Create a cloud network {#create-network}

All resources you create in the tutorial will belong to the same [cloud network](../../../vpc/concepts/network.md).

To create a network:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. Navigate to **Virtual Private Cloud**.
  1. Click **Create network**.
  1. Enter `ddos-network` as the network name.
  1. In the **Advanced** field, select **Create subnets**.
  1. Click **Create network**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Create a cloud network in the default [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder):

     ```bash
     yc vpc network create \
       --name ddos-network
     ```

     For more information about the `yc vpc network create` command, see the [CLI reference](../../../cli/cli-ref/vpc/cli-ref/network/create.md).

  1. Create [subnets](../../../vpc/concepts/network.md#subnet) in each [availability zone](../../../overview/concepts/geo-scope.md) by specifying the cloud network ID using the `--network-name` parameter:

     ```bash
     yc vpc subnet create \
       --name ddos-network-ru-a \
       --network-name ddos-network \
       --zone ru-central1-a \
       --range 192.168.0.0/24
     ```

     ```bash
     yc vpc subnet create \
       --name ddos-network-ru-b \
       --network-name ddos-network \
       --zone ru-central1-b \
       --range 192.168.1.0/24
     ```

     ```bash
     yc vpc subnet create \
       --name ddos-network-ru-d \
       --network-name ddos-network \
       --zone ru-central1-d \
       --range 192.168.2.0/24
     ```

     For more information about the `yc vpc subnet create` command, see the [CLI reference](../../../cli/cli-ref/vpc/cli-ref/subnet/create.md).

{% endlist %}


## Create security groups {#create-security-groups}

[Security groups](../../concepts/application-load-balancer.md#security-groups) include rules that allow the load balancer to receive inbound traffic and redirect it to the VMs so they can receive it. In this tutorial, we will create two security groups: one for the load balancer and another one for all VMs.

To create security groups:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. Navigate to **Virtual Private Cloud**.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/shield.svg) **Security groups**.
  1. Create a security group for the load balancer:

     1. Click **Create security group**.
     1. Specify the security group **Name**: `ddos-sg-balancer`.
     1. Select **Network** `ddos-network`.
     1. Under **Rules**, create the following rules using the instructions below the table:

        Traffic<br>direction | Description | Port range | Protocol | Source /<br>destination | Add
        --- | --- | --- | --- | --- | ---
        `Outbound` | `any` | `All` | `Any` | `CIDR` | `0.0.0.0/0`
        `Inbound` | `ext-http` | `80` | `TCP` | `CIDR` | `0.0.0.0/0`
        `Inbound` | `ext-https` | `443` | `TCP` | `CIDR` | `0.0.0.0/0`
        `Inbound` | `healthchecks` | `30080` | `TCP` | `Load balancer healthchecks` | —

        1. Select the **Egress** or **Ingress** tab.
        1. Click **Add**.
        1. In the **Port range** field of the window that opens, specify a single port or a range of ports open for inbound or outbound traffic.
        1. In the **Protocol** field, specify the appropriate protocol or leave `Any` to allow traffic transmission over any protocol.
        1. In the **Destination name** or **Source** field, select the rule purpose:

           * `CIDR`: Rule will apply to the range of IP addresses. In the **CIDR blocks** field, specify the CIDRs and masks of subnets traffic will move to/from. To add multiple CIDRs, click **Add**.
           * `Security group`: Rule will apply to the current or selected security group VMs.
           * `Load balancer healthchecks`: Rule allowing a load balancer to health-check VMs.

        1. Click **Save**. Repeat these steps to create all rules from the table.

     1. Click **Save**.

  1. Similarly, create a security group for the VM named `ddos-sg-vms` with the same `ddos-network` and the following rules:

     Traffic<br>direction | Description | Port range | Protocol | Source | CIDR blocks
     --- | --- | --- | --- | --- | ---
     `Inbound` | `balancer` | `80` | `TCP` | `Security group` | `ddos-sg-balancer`
     `Inbound` | `ssh` | `22` | `TCP` | `CIDR` | `0.0.0.0/0`

- CLI {#cli}

  To create a security group for your load balancer, run this command:

  ```bash
  yc vpc security-group create \
    --name ddos-sg-balancer \
    --rule "direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0]" \
    --rule "direction=ingress,port=80,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
    --rule "direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
    --rule "direction=ingress,port=30080,protocol=tcp,predefined=loadbalancer_healthchecks" \
    --network-name ddos-network
  ```

  To create a security group for your VM, run this command:

  ```bash
  yc vpc security-group create \
    --name ddos-sg-vms \
    --rule "direction=ingress,port=22,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
    --rule "direction=ingress,port=80,protocol=tcp,security-group-id=<security_group_ID>" \
    --network-name ddos-network
  ```

  Where `security-group-id` is the `ddos-sg-balancer` security group ID.

  For more information about the `yc vpc security-group create` command, see the [CLI reference](../../../cli/cli-ref/vpc/cli-ref/security-group/create.md).

{% endlist %}


## Create an instance group {#create-vms}

Your application backends will be deployed on the VM instance from the [target group](../../concepts/target-group.md). The VM target group will be connected to the load balancer, thus enabling requests to the backend endpoints of your application. A minimum configuration [instance group](../../../compute/concepts/instance-groups/index.md) is sufficient for this tutorial.

To create an instance group:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. Navigate to **Compute Cloud**.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/layers-3-diagonal.svg) **Instance groups**. Click **Create group of virtual machines**.
  1. Under **Basic parameters**:

     * Enter the instance group **Name**: `ddos-group`.
     * Select the [service account](../../../iam/concepts/users/service-accounts.md) from the list or create a new one. To be able to create, update, and delete VMs in the group, as well as integrate the group with an Application Load Balancer L7 load balancer, [assign](../../../iam/operations/sa/assign-role-for-sa.md) the `editor` [role](../../../iam/concepts/access-control/roles.md) to the service account.

  1. Under **Allocation**, select multiple availability zones to ensure the fault tolerance of your hosting.
  1. Under **Instance template**, click **Define** to configure the base VM instance:

     * Under **General information**, enter a **Description** for the template.
     * Under **Boot disk image**, open the **Marketplace** tab and click **Show all Marketplace products**. Select [LEMP](https://yandex.cloud/en/marketplace/products/yc/lemp) and click **Use**.
     * Under **Disks and file storages**, specify:

       * **Type**: `HDD`
       * Disk **Size**: `3 GB`

     * Under **Computing resources**, specify:

       * **Platform**: `Intel Cascade Lake`
       * **vCPU**: `2`
       * **Guaranteed vCPU performance**: `5%`
       * **RAM**: `1 GB`

     * Under **Network settings**:

       * Select the cloud network named `ddos-network` and its subnets.
       * In the **Public address** field, select `Auto`.
       * Select the `ddos-sg-vms` security group.

     * Under **Access**, specify the VM access credentials:

       * In the **Login** field, enter the username.
       * In the **SSH key** field, paste the contents of the public key file.

        To establish an SSH connection, you need to create a key pair. For more information, see [Creating an SSH key pair](../../../compute/operations/vm-connect/ssh.md#creating-ssh-keys).

     * Click **Save**.

  1. Under **Scaling**, specify the instance group **Size**: `2`.
  1. Under **Integration with Application Load Balancer**, select **Create target group** and enter `tg-ddos` as the group name. [Read more about target groups](../../concepts/target-group.md).
  1. Click **Create**.

- CLI {#cli}

  1. Get the resource IDs required to create an instance group using the following commands:

     * [yc iam service-account get <service_account_name>](../../../cli/cli-ref/iam/cli-ref/service-account/get.md): For the service account.
     * [yc vpc network get ddos-network](../../../cli/cli-ref/vpc/cli-ref/network/get.md): For `ddos-network`.
     * [yc vpc subnet get <subnet_name>](../../../cli/cli-ref/vpc/cli-ref/subnet/get.md): For the `ddos-network-ru-a`, `ddos-network-ru-b`, and `ddos-network-ru-d` subnets.
     * [yc compute image get-latest-by-family lemp --folder-id standard-images](../../../cli/cli-ref/compute/cli-ref/image/get-latest-from-family.md): For the boot disk image.
     * [yc vpc security-group get ddos-sg-vms](../../../cli/cli-ref/vpc/cli-ref/security-group/get.md): For the `ddos-sg-vms` security group.

  1. Create a YAML file named `specification.yaml`.
  1. Add to it the description of the base instance configuration:

     ```yaml
     name: ddos-group
     service_account_id: <service_account_ID> // The service account must have the editor role.
     description: "DDoS alb scenario"
     instance_template:
         platform_id: standard-v3
         resources_spec:
             memory: 1g
             cores: 2
             core_fraction: 5
         boot_disk_spec:
             mode: READ_WRITE
             disk_spec:
                 image_id: <image_ID>
                 type_id: network-hdd
                 size: 3g
         network_interface_specs:
             - network_id: <cloud_network_ID>
               subnet_ids:
                 - <subnet_ID_in_ru-central1-a>
                 - <subnet_ID_in_ru-central1-b>
                 - <subnet_ID_in_ru-central1-d>
               primary_v4_address_spec: {}
               security_group_ids:
                 - <security_group_ID>
     deploy_policy:
         max_unavailable: 1
         max_expansion: 0
     scale_policy:
         fixed_scale:
             size: 2
     allocation_policy:
         zones:
             - zone_id: ru-central1-a
             - zone_id: ru-central1-b
             - zone_id: ru-central1-d
     application_load_balancer_spec:
         target_group_spec:
             name: tg-ddos
     ```

     Where `security_group_ids` is the `ddos-sg-vms` security group ID.

  1. Create an instance group in the default folder:

     ```bash
     yc compute instance-group create \
       --file specification.yaml
     ```

     Result:

     ```text
     done (25s)
     id: cl1qjhlcdofg********
     folder_id: b1g86q4m5vej********
     created_at: "2021-08-30T19:25:02.031Z"
     name: ddos-group
     description: DDoS scenario
     instance_template:
       platform_id: standard-v2
       resources_spec:
         memory: "1073741824"
         cores: "2"
         core_fraction: "5"
       boot_disk_spec:
         mode: READ_WRITE
         disk_spec:
           type_id: network-hdd
           size: "3221225472"
           image_id: fd8r6kq84o7b********
       network_interface_specs:
       - network_id: enp3srbi9u49********
         subnet_ids:
         - e9b17pi15695********
         - e2lt87g1rlig********
         - b0c7kl8riq24********
         primary_v4_address_spec: {}
         security_group_ids:
         - enpi08rif04d********
       scheduling_policy: {}
     scale_policy:
       fixed_scale:
         size: "2"
     deploy_policy:
       max_unavailable: "1"
       startup_duration: 0s
       strategy: PROACTIVE
     allocation_policy:
       zones:
       - zone_id: ru-central1-a
       - zone_id: ru-central1-b
       - zone_id: ru-central1-d
     load_balancer_state: {}
     managed_instances_state:
       target_size: "2"
     service_account_id: aje2stn6id9k********
     status: ACTIVE
     application_load_balancer_spec:
       target_group_spec:
         name: first-target-group
     application_load_balancer_state:
       target_group_id: ds78imh0ds2e********
     ```

     For more information about the `yc compute instance-group create` command, see the [CLI reference](../../../cli/cli-ref/compute/cli-ref/instance-group/create.md).

{% endlist %}


## Reserve a static public IP address {#reserve-ip}

{% note info %}

You cannot do this using the [CLI](../../../cli/index.md).

{% endnote %}

To protect a load balancer against DDoS attacks, reserve a static public IP address with the **DDoS protection** option enabled:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. Navigate to **Virtual Private Cloud**.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/map-pin.svg) **Public IP addresses** and click **Reserve public IP address**.
  1. Select the availability zone where you want to reserve the IP address.
  1. Enable **DDoS protection**.
  1. Click ** Reserve**.

{% endlist %}


## Create a backend group {#create-backend-group}

You must link the target group created along with the instance group to the [backend group](../../concepts/backend-group.md) that defines traffic allocation settings.

For the backends, the groups will implement [health checks](../../concepts/backend-group.md#health-checks): the load balancer will periodically send health check requests to the VMs and expect a response over a certain period.

To create a backend group:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. Navigate to **Application Load Balancer**.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/cubes-3-overlap.svg) **Backend groups**. Click **Create backend group**.
  1. Enter the backend group **Name**: `ddos-backend-group`.
  1. Under **Backends**, click **Add**.
  1. Enter the backend **Name**: `backend-1`.
  1. In the **Target groups** field, select the `tg-ddos` group.
  1. Specify the **Port** the backend VMs will use to receive inbound traffic from the load balancer: `80`.
  1. Click **Add health check**.
  1. Specify the **Port** the backend VMs will use to accept health check connections: `80`.
  1. Specify the **Path** the load balancer will use for health checks: `/`.
  1. Click **Create**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Create a backend group:

     ```bash
     yc alb backend-group create ddos-backend-group
     ```

     Result:

     ```text
     id: a5dg2cv4ngne********
     name: ddos-backend-group
     folder_id: aoerb349v3h4********
     created_at: "2021-08-08T20:46:21.688940670Z"
     ```

     For more information about the `yc alb backend-group create` command, see the [CLI reference](../../../cli/cli-ref/application-load-balancer/cli-ref/backend-group/create.md).

  1. Add a backend and a health check to the group:

     ```bash
     yc alb backend-group add-http-backend \
       --backend-group-name ddos-backend-group \
       --name backend-1 \
       --weight 1 \
       --port 80 \
       --target-group-id=<target_group_ID> \
       --http-healthcheck timeout=1s,interval=1s,port=80,path=/
     ```

     Where:
     * `--backend-group-name`: Backend group name.
     * `--name`: Backend name.
     * `--weight`: Backend weight.
     * `--port`: Port.
     * `--target-group-id`: Target group ID.
     * `--http-healthcheck`: Resource health check properties.
       * `port`: Port.
       * `timeout`: Timeout.
       * `interval`: Interval.
       * `host`: Host address.
       * `path`: Path.

     Result:

     ```text
     done (21s)
     id: ds7fea2pggr2********
     name: ddos-backend-group
     folder_id: b1g86q4m5vej********
     http:
     backends:
     - name: backend-1
       backend_weight: "1"
       port: "80"
       target_groups:
         target_group_ids:
         - ds78ate00f8e********
       healthchecks:
       - timeout: 1s
         interval: 1s
         healthcheck_port: "80"
         http:
           path: /
     created_at: "2021-08-08T07:59:22.922603189Z"
     ```

     For more information about the `yc alb backend-group add-http-backend` command, see the [CLI reference](../../../cli/cli-ref/application-load-balancer/cli-ref/backend-group/add-http-backend.md).

{% endlist %}


## Create an HTTP router {#create-http-routers-sites}

The backend group should be linked to an [HTTP router](../../concepts/http-router.md) that defines the HTTP routing rules.

To create an HTTP router and add a route to it:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. Navigate to **Application Load Balancer**.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/route.svg) **HTTP routers**. Click **Create HTTP router**.
  1. Specify the HTTP router **Name**: `ddos-router`.
  1. Click **Add virtual host**.
  1. Specify the virtual host **Name**: `ddos-host`.
  1. Specify the **Authority** value: `alb-with-ddos.com`.
  1. Click **Add route**.
  1. Enter `route-1` as the **Name**.
  1. In the **Path** field, select `Starts with` and specify the `/` path.
  1. In the **Action** field, keep `Routing`.
  1. From the **Backend group** list, select the group you created earlier.
  1. Do not change the other settings. Click **Create**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Run this command:

     ```bash
     yc alb http-router create ddos-router
     ```

     Result:

     ```text
     id: a5dcsselagj4********
     name: ddos-router
     folder_id: aoerb349v3h4********
     created_at: "2021-08-08T21:04:59.438292069Z"
     ```

     For more information about the `yc alb http-router create` command, see the [CLI reference](../../../cli/cli-ref/application-load-balancer/cli-ref/http-router/create.md).

  1. Create a virtual host by specifying the HTTP router name:

     ```bash
     yc alb virtual-host create ddos-host \
       --http-router-name ddos-router
       --authority alb-with-ddos.com
     ```

     For more information about the `yc alb virtual-host create` command, see the [CLI reference](../../../cli/cli-ref/application-load-balancer/cli-ref/virtual-host/create.md).

  1. Add a route by specifying the router name and the routing settings:

     ```bash
     yc alb virtual-host append-http-route route-1 \
       --virtual-host-name ddos-host \
       --http-router-name ddos-router \
       --prefix-path-match / \
       --backend-group-name ddos-backend-group \
       --request-timeout 60s
     ```

     Result:

     ```text
     done (1s)
      name: ddos-host
      routes:
      - name: route-1
        http:
          match:
            path:
              prefix_match: /
          route:
            backend_group_id: ds7fea2pggr2********
            timeout: 60s
     ```

     For more information about the `yc alb virtual-host append-http-route` command, see the [CLI reference](../../../cli/cli-ref/application-load-balancer/cli-ref/virtual-host/append-http-route.md).

{% endlist %}


## Create a load balancer {#create-balancer}

To create a load balancer:

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the [management console](https://console.yandex.cloud).
  1. Navigate to **Application Load Balancer**.
  1. In the left-hand menu, select **Load balancers**.
  1. Click **Create L7 load balancer**.
  1. Enter the load balancer name: `ddos-protect-alb`.
  1. Under **Network settings**, select `ddos-network` and the `ddos-sg-balancer` security group.
  1. Under **Allocation**, select the subnets for the load balancer nodes in each availability zone and enable traffic.
  1. Under **Listeners**, click **Add listener**. Configure the listener settings:

     1. Specify the listener name: `ddos-listener`.
     1. Under **Public IP address**, enable traffic.
     1. Set the port to `80`.
     1. Select the **List** type and specify the [previously reserved](#reserve-ip) IP address with DDoS protection.

  1. In the **HTTP router** field, select `ddos-router`.
  1. Click **Create**.

- CLI {#cli}

  1. Create a load balancer with nodes in the cloud network subnets:

     ```bash
     yc alb load-balancer create ddos-protect-alb \
       --network-name ddos-network \
       --location subnet-name=ddos-network-ru-a,zone=ru-central1-a \
       --location subnet-name=ddos-network-ru-b,zone=ru-central1-b \
       --location subnet-name=ddos-network-ru-d,zone=ru-central1-d
     ```

     For more information about the `yc alb load-balancer create` command, see the [CLI reference](../../../cli/cli-ref/application-load-balancer/cli-ref/load-balancer/create.md).

  1. Add a listener:

     ```bash
     yc alb load-balancer add-listener ddos-protect-alb \
       --listener-name ddos-listener \
       --http-router-id <HTTP_router_ID> \
       --external-ipv4-endpoint port=80, address=<IP_address_with_DDoS_protection>
     ```

     For more information about the `yc alb load-balancer add-listener` command, see the [CLI reference](../../../cli/cli-ref/application-load-balancer/cli-ref/load-balancer/add-listener.md).

{% endlist %}

After creating the load balancer, [test](#test) it.

## Test the load balancer {#test}

Check that the service is available on the `alb-with-ddos.com` host. To do this, run the following command:

```bash
curl \
  --header "Host: alb-with-ddos.com" \
  http://<L7_load_balancer_IP_address>
```

Result:

```html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
  body {
    width: 35em;
    margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif;
  }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```


## How to delete the resources you created {#clear-out}

To shut down the hosting and stop paying for the resources you created:

1. Delete the non-billable resources that prevent the deletion of billable resources:

   1. [Delete](../../operations/application-load-balancer-delete.md) the `ddos-protect-alb` L7 load balancer.
   1. [Delete](../../operations/http-router-delete.md) the HTTP router named `ddos-router`.
   1. [Delete](../../operations/backend-group-delete.md) `ddos-backend-group`.

1. [Delete](../../../compute/operations/instance-groups/delete.md) the instance group named `ddos-group`.
1. [Delete](../../../vpc/operations/address-delete.md) the static public IP address you reserved.

#### See also {#see-also}

* [Creating an L7 load balancer with DDoS protection using Terraform](terraform.md)